CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

4124 matches found

AstraLinux•added 2026/05/20 5:53 a.m.•2 views

Astra Linux - уязвимость в chromium

Inappropriate implementation in the Background Fetch API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to leak cross-origin data through a crafted HTML page...

4.3CVSS6.6AI score0.00398EPSS

Exploits0References2

AstraLinux•added 2026/05/20 5:53 a.m.•1 views

Astra Linux - уязвимость в libonig

A issue was discovered in Oniguruma 6.x before 6.9.4rc2. In the function fetchintervalquantifier formerly known as fetchrangequantifier in regparse.c, PFETCH is called without checking PEND. This leads to a buffer overflow issue based on the heap mechanism...

7.5CVSS6.9AI score0.08946EPSS

Exploits1References2

OSSF Malicious Packages•added 2026/05/20 5:46 a.m.•5 views

Malicious code in react-tracked-tony (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector eeb24dfdd4a970dc44c017056c2a39bed6aa5973a7ec7e94b20c70d90114726c react-tracked-tony impersonates the popular react-tracked package: package.json sets name: react-tracked-tony, author: Daishi Kato, and homepage:...

6.1AI score

Exploits0References1

OSV•added 2026/05/20 5:38 a.m.•4 views

MAL-2026-4648 Malicious code in promptbook-cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f428561fb8f2d776b815262884ea9cb4fd1f39f616adbd0716ce64377d44ca38 dist/api.js contains a hardcoded outbound fetch to https://promts.newtechcompany.ru that carries data derived from process.env. The destination is an...

5.8AI score

Exploits0References1

OSSF Malicious Packages•added 2026/05/20 5:38 a.m.•4 views

Malicious code in promptbook-cli (npm)

5.8AI score

Exploits0References1

OSSF Malicious Packages•added 2026/05/20 5:31 a.m.•3 views

Malicious code in promptbook-mcp (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1223e123a8bd5b550647d800b438b2c5a78f3e10c9d1ab7a6a7cdbd8be465b90 dist/api.js contains a hardcoded URL https://promts.newtechcompany.ru referenced alongside process.env reads and a fetch call at line 44. The package...

5.8AI score

Exploits0References1

OSV•added 2026/05/20 5:31 a.m.•3 views

MAL-2026-4649 Malicious code in promptbook-mcp (npm)

5.8AI score

Exploits0References1

OSV•added 2026/05/20 2:15 a.m.•2 views

MAL-2026-4468 Malicious code in @wengine-ai/claude-code-router-shared (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 45e362000d036139e02a066a82ec157314a07796e0e855cdce184cc081ca4591 dist/index.js line 14 issues a fetch call to https://pub-0dc3e1677e894f07bbea11b17a29e032.r2.dev, an anonymous Cloudflare R2 bucket, and references...

6AI score

Exploits0References7

OSSF Malicious Packages•added 2026/05/20 2:15 a.m.•5 views

Malicious code in @wengine-ai/claude-code-router-shared (npm)

6AI score

Exploits0References7

OSSF Malicious Packages•added 2026/05/20 1:56 a.m.•5 views

Malicious code in pulse-axios (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c64dad53e23f7fcba3813e9ae6caee3f9461f5e52194165da668e5332e78bb99 [email protected] declares a postinstall hook node./lib/core/eval.js that on npm install issues fetch'http://localhost:3000/download/data', reads th...

5.9AI score

Exploits0References3

Vulnrichment•added 2026/05/20 1:25 a.m.•4 views

CVE-2026-6394 Nexa Blocks <= 1.1.1 - Unauthenticated Blind Server-Side Request Forgery via 'demo_json_file' Parameter

The Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Server-Side Request Forgery SSRF in versions up to and including 1.1.1. This is due to the importdemo function accepting a user-supplied URL in the demojsonfile POST parameter and...

5.4CVSS5.9AI score0.001EPSS

Exploits0References7

OSV•added 2026/05/20 1:18 a.m.•2 views

MAL-2026-4443 Malicious code in @shinzepelly/libsignal-node (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 957954ced5e6fb2e8ab6a666adf496ca2edc7575a4e202b593d6698b5d89809f Package impersonates the legitimate libsignal-node library description copied verbatim: "Open Whisper Systems' libsignal for Node.js" under an...

5.8AI score

Exploits0References1

OSV•added 2026/05/20 1:9 a.m.•2 views

MAL-2026-4571 Malicious code in get-deps-path (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 65fa6f34a831aa832f9d88019ce3d0f4011701df6ab0667bd263645208c978ce On require, get-deps-path immediately invokes getPlugin, which performs an HTTP fetch to https://jsonkeeper.com/b/QBRMI an anonymous public paste hos...

6.2AI score

Exploits0References6

OSSF Malicious Packages•added 2026/05/20 1:9 a.m.•6 views

Malicious code in get-deps-path (npm)

6.2AI score

Exploits0References6

OSSF Malicious Packages•added 2026/05/20 12:44 a.m.•6 views

Malicious code in @mcpassure/mcp-cnes (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 243d5ff1424c2d147ee05781c1889b007eb30e22a190bf6dc3973b676ea697a7 dist/bootstrap.js performs a fetch against https://pub-046c52795b9445cd9f5cc5cb21b9d59f.r2.dev, an anonymous Cloudflare R2 bucket with no publisher...

5.9AI score

Exploits0References11

OSSF Malicious Packages•added 2026/05/20 12:39 a.m.•4 views

Malicious code in @mcpassure/mcp-anvisa-bulario (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e846cabb7b5077244737d7a465e944ebe7635db46cc55e7e5736eeda47d30938 dist/bootstrap.js references a hardcoded URL on pub-046c52795b9445cd9f5cc5cb21b9d59f.r2.dev — an anonymous Cloudflare R2 bucket — and calls fetch...

5.9AI score

Exploits0References10

OSV•added 2026/05/19 8:9 p.m.•1 views

GHSA-QG89-QWWH-5F3J SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated baseUrl

Resolution SillyTavern 1.18.0 added a generic server-side request filter Private Request Whitelisting. Since we expect users to use the application in a trusted environment, the filter is disabled by default, however it is strongly advised to be enabled and properly configured when an instance is...

8.5CVSS6AI score0.02589EPSS

Exploits0References2

OSV•added 2026/05/19 7:5 p.m.•5 views

MAL-2026-4531 Malicious code in clsx-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 23e4e85f63d161234d84c774fdff696827934a27282be2ce9ff362a756246ee6 On npm install, dist/postinstall.js base64-decodes the URL https://api.npoint.io/984b75c022a70cf00c39, fetches JSON from this anonymous mutable...

6.3AI score

Exploits0References3

OSSF Malicious Packages•added 2026/05/19 6:58 p.m.•6 views

Malicious code in crypto-hash-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 208571de648a5ef9d7b4ae7b6f83151d9c2272f75fc16b42faa75a352ded2e08 Package name and metadata impersonate Sindre Sorhus's legitimate crypto-hash package forged author Sindre Sorhus and repository...

6.2AI score

Exploits0References1

OSSF Malicious Packages•added 2026/05/19 5:52 p.m.•6 views

Malicious code in corelia (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d2b637971f597ba9572b4cecfab0de4981d19620d585b1958b1bb37b004fae8f The package impersonates the popular pino logger README header 'corelia Pino', homepage https://getpino.io, main file pino.js, npm version badge...

6AI score

Exploits0References2

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by